Skip to content

GSA/odp-tf-aws-ref-arch-iam

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

odp-tf-aws-ref-arch-iam

Overview

The odp-tf-aws-ref-arch-iam module is used to configure X resources.

Table of Contents

Module Contents

Folder / File Description
main.tf Main Terraform code
variables.tf Required Variables
output.tf Output variables
example/ Example directory that contains the configuration necessary to deploy the project.
.circleci CI Pipeline code for validating module. Requires working example in example directory.

Module Variables

Inputs

The following variables need to be set either by setting proper environment variables or editing the variables.tf file:

Variable Type Description
aws_region string Default region for region specific settings.
env string Environment used in naming resources
aws_account_id string AWS Account to configure
ip_whitelist string IP address list ( CIDR ) to allow remote access into the accoutn
project string Project name to that makes up part of prefix for resources.

variable "project" { description = "Project name" }

Outputs

The following variables need to be set either by setting proper environment variables or editing the variables.tf file:

Variable Type Description

Module Setup

Required IAM

Example

provider "aws" {
  region  = "us-east-1"
}

variable "aws_region" {
  type = string
  description = "Default region used by some modules"
  default = "us-east-1"
}

variable "env" {
  description = "AWS region to launch servers."
  default     = "sandbox"
}

variable "aws_account_id" {
  description = "aws account ID"
  default = "xxxxxx"
}

variable "ip_whitelist" {
  description = "source IP whitelist"
  default = "10.1.1.0/24"
}

variable "project" {
  description = "Project name"
  default = "odp-ref-arch"
}

module "iam" {
  source = "../"
  aws_region = "${var.aws_region}"
  env = "${var.env}"
  aws_account_id = "${var.aws_account_id}"
  ip_whitelist = "${var.ip_whitelist}"
  project = "${var.project}"
}

Resources Created

Policies

  • force_mfa
  • remote_access
  • assume_iam_admin_operations
  • assume_full_admin_management
  • incident_response_secops
  • iam_admin_operations
  • full_admin_management

NOTE: All resources are prefixed with the value assigned to the variable project. Example:myresource becomes ${project}-myresource

Password Policy

This module sets the default password policy.

Roles

NOTE: All resources are prefixed with the value assigned to the variable project. Example:myresource becomes ${project}-myresource

  • management_org_admin
  • full_admin_management
  • iam_admin_operations
  • config
  • cloudwatch_delivery

Groups

NOTE: All resources are prefixed with the value assigned to the variable project. Example:myresource becomes ${project}-myresource

  • devsecops
  • default
  • security_assessment
  • security_operations
  • finance
  • user_management
  • full_admin
  • incident_response